Describing Security for the SAP S/4HANA Cloud Deployment Options

There are three key components in a data center:

• Power Supply: The data center is connected to two separate grid sectors operated by the local utility company. If one sector fails, the second one continues to supply power. The data center also houses 13 diesel generators in a separate building. Together, they produce a total of 29 megawatts.
• Cooling: All electronic components and processors generate heat when operated. If it is not dissipated, the processor's efficiency may decrease to the point that the component could fail. Therefore, cooling a data center is essential - and costly, due to the concentrated computing power.
• Controlled Access: SAP data centers are the backbone of our cloud business. We use state-of-the-art technology and rigorous security to protect data virtually and physically against data breaches, fires, terror attacks, and other threats. Our data centers meet the highest security standards.

All communication between Data Centers is encrypted by industry measures. The detail of implementation varies by solution and data flow.

SAP conduct backups in the form of a disk-to-disk copy, which enables rapid data creation and recovery. In addition to full backups done on a daily basis, we create interim backup versions several times each day. We then archive these at a secondary location for security purposes.

SAP data centers are monitored around the clock with video cameras at every entry point. We use these cameras to record and monitor each access event and log this in our access system for 90 days. Single-person access and "mantrap" systems provide access only to authorized individuals. Technicians can enter special rooms using custom-configured ID cards. High-sensitivity areas require authentication by means of biometric scans.

The multilayered, partitioned, proprietary network architecture permits only authorized access with:

• A Web dispatcher farm that hides the network topology from the outside world.
• Multiple Internet connections to minimize the impact of distributed denial-of-service (DDoS) attacks.
• Layered security measures that continuously monitors solution traffic for possible attacks.
• Multiple firewalls that divide the network into protected segments and shield the internal network from unauthorized Internet traffic.
• Third-party audits performed throughout the year to support early detection of any newly introduced security issues.

• Cloud Identity Services address identity and access management in the cloud. They can be used across the SAP cloud solution portfolio, and they include the Identity Authentication and Identity Provisioning services as a part of SAP Cloud Identity Services.
• Secure Development Services help support the development of secure applications on the Business Technology Platform. These services, such as SAP Cloud Application Programming Model and the Cloud Connector, enable developers to build secure enterprise business applications.
• Risk and Compliance are provided by solutions such as SAP Cloud Identity Access Governance to help security administrators manage risks and meet corporate compliance goals.
• Insight is delivered by SAP through its SAP Trust Center site to provide a transparent view into how SAP manages cloud applications for customers. With SAP Data Custodian, SAP customers can gain insight into the location and movements of data.

Security partners complete the picture by providing generic services such as static code and open source vulnerability scanners.

SAP does not acquire ownership or stewardship of the data processed for the customer when it performs services for cloud solutions. 

A data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. A data processor is an entity which processes personal data on behalf of the controller. The data processor and controller in a cloud environment are the same as within an on-premise environment.

Sub-processors are used for the processing of personal data. They are subject to data protection agreements that contain the same level of protection as the agreements SAP enters with its customers.

SAP has implemented and is maintaining technical and organizational measures (TOMs). These TOMs comprise measures in the following areas: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control.

SAP views the role of the data protection officer (DPO) as a central part of our overall data protection strategy. In addition, SAP has established an entire data protection and privacy (DPP) team that consists of attorneys, auditors, and technical experts reporting to the DPO.

The GDPR is an EU law that went into effect on May 25, 2018. It is a far-reaching and comprehensive regulation that protects the individual rights of data subjects in the EU. GDPR applies to all companies processing personal data of EU-based individuals, regardless of the company's location.

SAP's Data Privacy Agreement is applicable to all of our data center and processing locations, globally.

SAP SE is a German company and is therefore under EU regulation. SAP follows the GDPR regulation introduced by the EU on May 25, 2018. Our Data Privacy Agreement acts as the contract for commissioned data processing and is based on the most current applicable data protection regulation. Each company must consider its own local laws and regulations when conducting business.

We are fully committed to complying with all relevant legislation. This includes GDPR and other data protection laws such as the Japan Social Security and Tax Number regulation, the Argentina Personal Data Protection Act, and Canadian privacy laws.

There is no difference between cloud and on-premise solutions because GDPR applies to businesses and their processes, not products. Compliance is a result of business processes that meet the requirements of the law. Both cloud and on-premise software can help make those processes happen. A benefit to cloud software is that it can be updated more frequently, ensuring the latest functionality and standards are in place.

Transfers of personal data between the U.S. and EU are based on EU standard contractual clauses (SCCs). According to GDPR, SCCs are approved as appropriate safeguards. This provides a lawful mechanism of transferring personal data outside the EU and EEA and forms a legally binding agreement between SAP global entities that establishes requirements for a baseline protection of personal data.